In 1995, I started my Navy training as an Aviation Electronics Technician. I spent more than a year learning electrical theory, how to use sophisticated tools (like time domain reflectometers) and the logic associated with troubleshooting avionics. I was ready to go mano a mano against any aircraft that was daft enough to challenge my acumen.
From Foo to Flow Charts
As I walked out onto the flight line for the first time to troubleshoot a RADAR gripe, I discovered my hand-to-hand combat was not going to happen. I went into the forward wheel well of the F/A-18 and pushed a button that displayed a three-digit code. I looked up that code and it pointed me to a flowchart. I did the steps, and by the time I was finished, the RADAR was working again. Over the next six years I would repeat that process thousands of times. I rarely had an opportunity to flex my mental muscle to get an aircraft back to fully mission capable.
Where are my InfoSec Flow Charts?
After spending 7 years as an avionics technician, I returned to digital security by standing up the Network Security Group at the US Naval Postgraduate School in 2002. I was still an active duty sailor and fully expected there to be a library of books on how to perform InfoSec operations. I was dumbfounded to find the opposite true. I could not understand why nothing existed in the military or the private sector that defined “if this happens, do that.” There were no flowcharts or playbooks – just vague guidance.
As I contemplated why operations on the flight deck and in the Security Operations Center were so different, I came to realize that the core challenge was craft maturity. The birthday of Naval Aviation is May 8th, 1911. By the time I had reported to my first aircraft squadron, more than 80 years of lessons learned had been accumulated. Those lessons led to the standardization of the craft of aviation maintenance that I came to take for granted. While the birthday of InfoSec can be debated, it is certainly less than 25 years old. There are few crafts in the world that are more green.
Resurrection of Intrusion Detection
In 2003, Gartner made an ill-advised declaration that “IDS is Dead.” It was prompted in part by organizations not wanting to spend the money to build SOCs and incident response teams. The burden was put on product vendors to automatically block and contain attacks. Organizations stopped investing in InfoSec operations, and a Golden Age of Cybercrime began.
Between then and now, I have worked with public and private sector organizations to recover from the developmental deficiencies of ignoring Security Operations for a decade.
Systemic Failure in SECOPS
The SECOPS hiatus created a vacuum in process development (no one needed processes) and in process tools. As I worked as a product vendor deploying a tool that provided great incident response capabilities, I regularly discovered that the organizations I was selling to did not have the process or the cycles to use the tool.
To better understand how I might help, I began to offer cost-free business assessments to my Fortune 500 customers. We would do some simple math: count how many investigations needed to happen each day and how much time needed to be spent on each cycle.
In every one of the assessments, I discovered that the full-time employees (FTE) required to staff the required work numbered 50 to 200 times more than current staffing levels. This explained why these analysts and operators were so cynical and exhausted – they accomplished less than 1% of their workload each day.
WitFoo is Born
Digging deeper into why the workload was so high led to research with like-minded people. We decided we were going to find a way to mature the craft of InfoSec by providing the process, data, training and tools that would allow hard-working responders to win at their work every day and make cyber crime harder as a result. A dozen of us started testing and prototyping in our spare time. With the help of some Fortune 500 companies, top universities and national MSSP partners, we’ve been making some great strides in forming a clear picture of what success will look like. Stay tuned to hear details of what we’re cooking (or man up and join our Beta testing!).